Privacy Policy
1. Who we are
The data controller for Drop Design System is akanoodles holdings limited, a private limited company registered in England & Wales, company number 16289830.
For data-subject requests, complaints, or any question about this policy: [email protected].
2. Summary
- Drop never sees your designs, layer names, variable names, or file content.
- We collect anonymised usage telemetry (events, traces, errors) and transmit it to our servers in the United Kingdom so we can diagnose faults and ship fixes faster. Identifiers are one-way hashed; we never see your email or licence key in this telemetry.
- You can disable cloud telemetry. You will be asked at sign-up; you can change your choice anytime in Settings → Privacy. Disabling keeps all telemetry local-only.
- If you sign in to Drop, we use a managed identity provider to handle your login and a managed database to store your subscription state. Stripe processes payment.
- We never see card numbers. Stripe handles all payment data via Checkout.
- You can request a data export or full deletion at any time — [email protected].
3. What we collect, when, and why
3.1 Telemetry events
When you use the Drop plugin, it records structured usage events. The fields in each event are:
| Field | What it contains |
|---|---|
| name | Event identifier, e.g. scan.complete, plugin.open — dotted string, no user content |
| category | Top-level grouping (lifecycle / scan / fix / codegen / error / …) |
| level | Severity: info, warn, error |
| ts | ISO 8601 timestamp of the event |
| pluginVersion | Drop plugin semver, e.g. 1.0.0 |
| sessionId | UUID generated at plugin launch — rotates each open |
| tenantId | One-way SHA-256 hash of your account identifier. Not reversible |
| licenseTier | Plan tier: solo, pro, team, or enterprise |
| fileHash | One-way SHA-256 hash of the Figma file key. The raw key is never stored or transmitted |
| traceId | Optional internal correlation ID |
| payload | Event-specific data (counts, durations, error codes). Never contains design content, layer names, variable names, or payment information |
We do not transmit raw email addresses, licence keys, IP addresses, or device identifiers in telemetry. A defence-in-depth filter at the ingest edge deletes any attribute matching known PII keys (email, user.email, license_key, *.email) before signals reach storage.
3.2 Where telemetry goes — and how to disable transmission
Default (cloud telemetry on): events are batched and transmitted over HTTPS to a bearer-token-authenticated endpoint and stored on a server hosted in the United Kingdom. We use telemetry to diagnose faults, surface error trends, and improve performance.
Opt out at sign-up. The first time you sign in, you are asked: "Help us improve Drop with anonymised telemetry? You can change this any time in Settings." If you choose No, the plugin keeps all telemetry local-only — written to a JSONL file on your own machine, never transmitted to akanoodles or any third party. Change your answer at any time in Settings → Privacy; the change takes effect immediately.
Retention. Cloud telemetry is retained for 90 days, after which it is automatically deleted. You can also request immediate deletion of everything we hold for you — see §6 below.
Legal basis (UK GDPR): Consent. We rely on your explicit yes/no answer at sign-up. If you opted out, no personal data is transmitted to akanoodles for this purpose.
Data residency. Telemetry is stored on infrastructure located in the United Kingdom. The UK has a European Commission adequacy decision in force under GDPR Article 45, so EU-resident users' data flows to the UK on a GDPR-compliant basis.
3.3 Account and subscription data
When you sign in to Drop, we collect:
- Your email address — used to authenticate you and send transactional emails (receipts, password resets, important service notices).
- Your subscription state — plan tier, status, current period end, and cancel-at-period-end flag.
- A one-way salted hash of your user identifier so we can map your account to your telemetry stream for GDPR Article-17 erasure requests.
We do not receive or store payment card numbers. Stripe Checkout collects payment information directly under their own privacy policy (stripe.com/privacy).
Legal basis: Contract performance — necessary to provide the Drop service you have subscribed to.
3.4 Feedback submissions
If you choose to send feedback from the plugin's Settings → Feedback screen, the following data is collected and emailed to [email protected] via a transactional email service:
- The feedback subject and description you write.
- Your email address (optional — only if you provide it).
- An optional screenshot you choose to attach.
We do not read your design files. Screenshots are taken only of the part of the screen you select.
Legal basis: Consent (you actively submit the feedback).
4. Sub-processors
We use a small number of third-party providers to operate Drop, in the following categories:
- Payment processing — to collect subscription payments and manage billing.
- Identity and database hosting — to authenticate you and store your subscription record.
- Cloud hosting and edge networking — to host our telemetry endpoint and the website you are reading.
- Transactional email — to deliver receipts and feedback submissions.
The current named list of sub-processors, the personal data each one handles, and the regions in which they operate is published in our Data Processing Addendum and is kept up to date there. Enterprise customers receive advance notice of material changes; other customers are notified via this website. We do not sell personal data to any third party.
5. International transfers
The personal data we hold about you is stored in the United Kingdom or the European Union, both of which are subject to UK GDPR adequacy. Where a sub-processor necessarily processes data outside the UK / EU, we rely on the standard contractual clauses incorporated in their data-processing agreements, which we have signed.
6. Your rights
Under UK GDPR you have the right to:
- Access a copy of personal data we hold about you
- Rectification of inaccurate data
- Erasure of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Object to processing based on legitimate interests
- Restriction of processing in certain circumstances
- Withdraw consent at any time (e.g. cloud telemetry — Settings → Privacy)
To exercise any of these rights, email [email protected]. We respond within one calendar month.
If you are unhappy with how we have handled a request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Account deletion. When you delete your Drop account, your subscription record is anonymised, your authentication record is removed, and a row is queued for telemetry erasure. Processing typically completes within 24 hours. Stripe and our accounting records retain financial data for 7 years after cancellation as required by HMRC.
7. Retention
| Data | Retention |
|---|---|
| Cloud telemetry | 90 days, then automatically deleted |
| Local telemetry (when opted out) | Stays on your machine — you control deletion |
| Authentication records | Life of your account; deleted on request |
| Subscription records | Life of subscription, then 7 years (HMRC requirement); anonymised after |
| Feedback submissions | 2 years |
| Audit logs (Enterprise tier) | 12 months minimum, longer on customer request |
8. Children
Drop is a professional design-to-code tool not directed at children under 13. Figma's own Terms of Service require users to be at least 13 years old. We do not knowingly collect data from children under 13. If you believe a child has submitted data through Drop, contact [email protected] for deletion.
9. Cookies
The Drop plugin sets no browser cookies. This website sets only strictly necessary cookies — see our Cookie Policy for detail.
10. Changes to this policy
When we make material changes we will notify you via the plugin update flow or this website prior to the change taking effect. The effective date at the top of this document will be updated. Previous versions are archived and available on request.
11. Contact
Questions about this policy or your data:
General privacy: [email protected]
Data Protection contact: [email protected]